Fake Binance Wallet Email Promises TRUMP Coin, Installs Malware


A new email scam impersonating cryptocurrency exchange Binance is tricking users into downloading malware disguised as a desktop app promising access to “TRUMP coin.” Cybersecurity firm Cofense, which first spotted the scam, warns that victims who follow the instructions unwittingly install a remote access tool (RAT) called ConnectWise, giving attackers full control of their computers within minutes.

The Attack

The emails, sent under the name “Binance,” urge recipients to claim a newly launched Trump-themed cryptocurrency. A link directs users to a counterfeit Binance website that mimics official branding, complete with security warnings to appear authentic. Instead of delivering digital coins, the site asks visitors to download “Binance Desktop,” a malicious installer for ConnectWise RAT.

According to Cofense’s blog post, the fake emails and websites avoid directly copying Binance’s official pages but splice genuine images and design elements to create a believable facade. Researchers also noted that sneaky tricks, like including a “risk warning” disclaimer, add a false sense of legitimacy.

The download link leads to a Russian-hosted domain (binance-web3comru) hosting the malware. Two other malicious sites linked to this scam include klclick2com and shopifycoursesstore.

Unlike typical RAT campaigns, where hackers may wait days to act, this group jumps into action as soon as the device is infected. Researchers observed attackers connecting to compromised devices in under two minutes. Once in control, they hunt for stored passwords in browsers like Microsoft Edge, bypassing the malware’s limited data-theft features by manually extracting credentials.

The email used in the scam (Credit: Cofense)

Why This Matters

Jason Soroko, Senior Fellow at Sectigo, commented on the general tactic, noting that current events often provide perfect bait for such scams. He explained that by linking their schemes to trending topics, cybercriminals make their messages seem more believable and urgent, pushing people to act quickly without thinking.

“Topical events serve as fertile ground for social engineering, offering attackers a ready-made script that exploits real-time urgency and widespread public attention,” said Jason. “By aligning phishing messages and malicious campaigns with trending news or current events, cybercriminals enhance credibility and evoke strong emotional reactions, prompting hasty actions from potential victims.”

Scammers Won’t Stop Exploiting Trump Coin Hype

This isn’t the first time scammers have exploited Trump’s involvement in the crypto world. In July 2024, fraudsters used false reports of Trump’s assassination to push crypto scams. A year earlier, in July 2023, a phishing campaign targeted his supporters with fake websites designed to steal crypto donations.

In September 2024, cybercriminals went after Trump’s newly announced digital trading cards, using phishing sites, fake domains, and social engineering tactics to steal sensitive data.
